[Openswan Users] Openswan and Cisco 3030
Zohair Raza
engineerzuhairraza at gmail.com
Mon Jul 9 05:09:40 EDT 2012
Hi,
I have recently set up a VPN between openswan and a Cisco 3030. It
connects without any issues, but after some time the tunnel fails. I am
new to openswan and cannot find the root cause or solution of this
problem even though I googled a lot.
Please can someone help me out? Here are my config and logs.
openswan ipsec.conf:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    # nat_traversal=yes
    virtual_private=%v4:176.249.0.0/16
    oe=off
    myid=1.1.1.1
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    klipsdebug=none
    plutodebug=none
    keep_alive=50
    interfaces=%defaultroute
openswan tunnel config:
conn TT-UK-1
    left=2.2.2.2
    leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
    right=1.1.1.1
    rightsubnet=176.249.0.0/16
    keyexchange=ike
    pfs=no
    rekey=yes
    auto=start
    authby=secret
    phase2alg=3DES-SHA1
    ike=3DES-SHA1
    dpddelay=30
    compress=no
    type=tunnel
    dpdtimeout=30
    dpdaction=restart
    salifetime=28800s
    ikelifetime=86400s
Logs when tunnel fails:
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No response from peer - declaring peer dead
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: Restarting Connection
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying state (STATE_QUICK_R2)
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying state (STATE_QUICK_I2)
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying state (STATE_QUICK_R2)
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No such process
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No such process
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying state (STATE_QUICK_I2)
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR: netlink response for Del SA esp.8ad7896 at 2.2.2.2 included errno 3: No such process
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR: netlink response for Del SA esp.3a5f570a at 1.1.1.1 included errno 3: No such process
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating Main Mode to replace #10
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.89:10138 to 172.16.12.221:19624 proto=17 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.1:11784 to 172.16.12.221:13598 proto=17 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.233:10068 to 172.16.12.221:10166 proto=17 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received Vendor ID payload [Cisco-Unity]
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received Vendor ID payload [XAUTH]
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring unknown Vendor ID payload [366b42f48b3b9dd8ac5c05fe5494759b]
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received Vendor ID payload [Dead Peer Detection]
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Main mode peer ID is ID_IPV4_ADDR: '2.2.2.2'
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#13 msgid:29e320e8 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #15: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#13 msgid:0447f8ea proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#13 msgid:a01c9aed proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#13 msgid:532b0467 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #11 {using isakmp#13 msgid:581cfb6d proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.27:8 to 172.16.12.221:0 proto=1 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #19: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#13 msgid:c2b4c48c proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.0.1:8 to 172.16.12.221:0 proto=1 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#13 msgid:5c42e8f9 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.44:52787 to 172.16.12.221:80 proto=6 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #21: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#13 msgid:bf505abf proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received Delete SA payload: deleting ISAKMP State #10
Jul 5 19:39:12 router-TT pluto[60606]: packet from 2.2.2.2:500: received and ignored informational message
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1ee0fa85 <0xd7656b45 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x29dd0baa <0xfccca15b xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x23a597eb <0x26804c4c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6f2ac97f <0xa16f2f01 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a200766 <0x77bc128c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: Dead Peer Detection (RFC 3706): enabled
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x19bcc321 <0xb32bc1d8 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Regards,
Zohair Raza
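As an added example, not part of the post above, a small Python triage script for pluto logs of the kind shown: it parses the syslog layout used in the post, counts DPD, rekey, netlink-delete and SA-established events per connection, and records the outbound ESP SPI of every IPsec SA that came up, so a tunnel that is repeatedly declared dead and rebuilt shows up at a glance. The sample lines are constructed from the post's log (unwrapped onto single lines) and the event strings are the ones that appear in it.

```python
import re
from collections import Counter, defaultdict

# Syslog layout as it appears in the post; lines without a quoted
# connection name and "#<state>" (e.g. "initiate on demand") are skipped.
STATE_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)

# Message fragment -> event label; first match wins.
EVENT_PATTERNS = [
    ("peer_dead", "declaring peer dead"),
    ("dpd_restart", "DPD: Restarting Connection"),
    ("netlink_del_error", "netlink response for Del SA"),
    ("rekeying", "rekeying state"),
    ("isakmp_established", "ISAKMP SA established"),
    ("ipsec_established", "IPsec SA established"),
    ("delete_sa_received", "received Delete SA payload"),
]

def classify(msg):
    """Return the event label for a pluto message, or None if uninteresting."""
    for label, needle in EVENT_PATTERNS:
        if needle in msg:
            return label
    return None

def summarise(lines):
    """Per-connection event counts plus the outbound ESP SPIs that came up."""
    counts = defaultdict(Counter)
    spis = defaultdict(list)
    for line in lines:
        m = STATE_LINE.match(line.strip())
        if not m:
            continue
        label = classify(m["msg"])
        if label is None:
            continue
        counts[m["conn"]][label] += 1
        if label == "ipsec_established":
            spi = re.search(r"ESP=>(0x[0-9a-f]+)", m["msg"])
            if spi:
                spis[m["conn"]].append(spi.group(1))
    return {"events": {c: dict(v) for c, v in counts.items()},
            "esp_spis": dict(spis)}

# Constructed sample: a few of the post's lines, each joined onto one line.
SAMPLE_LOG = """\
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No response from peer - declaring peer dead
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: Restarting Connection
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No such process
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""
```

Run `summarise(open("/var/log/secure").read().splitlines())` (or whichever file your syslog sends pluto to) and watch the `peer_dead` and `dpd_restart` counts over time; every restart also appears as a fresh SPI in `esp_spis`.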